Biometric Privacy – BIPA

October 2017

Four More Fingerprint Class Actions

All contain the allegations we’ve seen over, and over, and over…
‘EMPLOYER’ collected and stored plaintiff’s fingerprints without a written release, without disclosing a retention policy, and without defined disposal procedures, etc.
McGee v. RJW Transport [Cook Co. Circ. Ct.; 2017CH14077]
Ragsdale v. Paramount of Oak Park Rehabilitation & Nursing Center [Cook Co. Circ. Ct.; 2017CH13911]
Rapai v. Hyatt [Cook Co. Circ. Ct.; 2017CH14483]
Kiefer v. Bob Evans [10th Dist Circ. Ct.; 17-L-112]
jbho: The surge continues. Not much more to say than what I’ve already said below.
Yet Another Fingerprint Timekeeping Class Action

Freeman-McKee v. Alliance Ground
Class complaint – Alliance allegedly collected and stored plaintiff’s fingerprints as a part of an employee time-clocking process:
• without a written release,
• without disclosing a retention policy, and
• without informing her if biometric data would ever be permanently deleted.
[Cook Co. Circ. Ct.; 2017-CH-13636]
jbho: employers need to catch up on this new fertile ground for litigation. According to Law360, at least 26 employment-related class actions have been filed.
https://www.law360.com/cybersecurity-privacy/articles/972212/the-new-wave-of-employee-biometrics-class-actions (subscription required)

Two More Biometric Timeclock Class Actions

Diaz v. Greencore (Peacock Foods)
Lundsteen v. Superior Air-Ground
Two class complaints were filed in early October. Both involve employer collection of fingerprints for work time tracking. The complaints contain the common allegations of failure to inform employees in writing of collection, purpose of use, how long retained, destruction practices, as well as a failure to get a valid consent under BIPA. The complaint against Superior alleged collection and use of the finger vein patterns in addition to fingerprints.
[Diaz v. Greencore – Cook Co. Sup. Ct.; 2017-CH-13198]
[Lundsteen v. Superior Air-Ground – Cook Co. Sup. Ct.; 2017-CH-13253]
jbho: all you have to do is copy and paste, and you’ve got a new class action.

September 2017

Photo Scanning Lawsuit Will Continue

Monroy v. Shutterfly
Motion to dismiss denied – Shutterfly allegedly collected and stored plaintiff’s facial biometrics (derived from a photograph) when a photo of him was uploaded (by an undisclosed party) to Shutterfly. Plaintiff further alleged Shutterfly extracted his biometrics and associated them with additional information regarding his gender, age, race, and geographical location. Plaintiff claimed he was not a Shutterfly user, was unaware of the collection, was never provided with the statutorily required disclosures, and never consented to the collection or storage of his biometric information.

Shutterfly claimed:
(1) BIPA did not apply to information obtained from photographs
(2) BIPA could not be applied extraterritorially
(3) Plaintiff failed to allege actual damages

The court found:
(1) While information obtained from a photograph was not ‘biometric information,’ a scan of face geometry obtained from a photograph did constitute a ‘biometric identifier.’ There was no requirement under BIPA for a scan to be performed in person, as other courts have found (e.g., Rivera v. Google [N.D. Ill; 1:16-cv-02714]).
(2) Plaintiff sufficiently alleged an Illinois nexus, since the photo was uploaded by a citizen of Illinois from a device physically in Illinois. Although plaintiff was a Florida resident, and Shutterfly was a Delaware corporation, it was unclear where scanning or storage took place, and discovery would be needed to get a clearer picture of the circumstances around plaintiff’s claims – at which point Shutterfly’s extraterritoriality argument could be addressed.
(3) A showing of actual damages was not necessary to state a claim under BIPA. The right of action under 740 ILCS 14/20 provided for liquidated damages or actual damages. The allegations of invasion of privacy were sufficient to survive a motion to dismiss.
[N.D. Ill; 1:16-cv-10984]
jbho: note that Shutterfly settled a nearly identical action for an undisclosed amount (Norberg v. Shutterfly, N.D. Ill; 1:15-cv-05351). In both cases, plaintiffs were represented by CAREY RODRIGUEZ MILIAN GONYA, LLP.

Customer Facial Scan Class Action

Morris v. Wow Bao
Class complaint – Wow Bao, and its corporate parent Lettuce Entertain You, allegedly used facial biometrics to authenticate purchases at self-serve checkouts, but failed to:
• inform plaintiff (and other consumers) in writing that biometric information was being collected or stored
• inform plaintiff (and other consumers) of the specific purpose of use
• publicly post Wow Bao guidelines for permanently destroying biometric information
• publicly post how long biometric information would be kept
• receive a written consent from plaintiff (and other consumers) as required under BIPA
[Cook Co. Circ. Ct.; 2017-CH-12029]
jbho: a reminder to provide clear and conspicuous notice of collection, purpose of use, sharing, retention, and destruction practices for biometric data. Probably best to include in both your user agreements / privacy policies and Just-In-Time notices where written consent is obtained.

As the number of BIPA actions rises, the complaints are starting to look templatized. Compare this complaint to Howe v. Speedway below. Both suits were filed by the same firm.

Another Employee Fingerprint Class Action

Howe v. Speedway
Class complaint – Speedway allegedly required employees to use fingerprints to ‘clock-in’ and ‘clock-out’ of work, but failed to:
• inform plaintiff (and other employees) in writing that biometric information was being collected or stored
• inform plaintiff (and other employees) of the specific purpose of use
• publicly post Speedway guidelines for permanently destroying biometric information
• publicly post how long biometric information would be kept
• receive a written release from plaintiff (and other employees) as required under BIPA
Plaintiff further claimed biometric information was shared with Speedway vendor Kronos, and alleged Kronos committed the same failures listed above.
[Cook Co. Circ. Ct.; 2017-CH-11992]
jbho: same comments as above. Insulate yourself from copy/paste complaints by buttoning up your disclosures and consent flows.

June 2017

Grocer Tagged With Another Class Action For Employee Fingerprint Tracking

Doporcyk v. Roundy’s
Class complaint – Roundy’s allegedly forced plaintiff to use his fingerprints to clock ‘in’ and ‘out’ of his work shifts, despite the fact he was a salaried employee. Plaintiff further alleged Roundy’s failed to:
• inform him of the specific purpose(s) for which his biometric information was being collected or stored
• inform him how long his biometric information would be kept
• publicly disclose a retention schedule and how biometric information would be permanently destroyed
• obtain a written release from him evidencing his consent to the collection and use of his (or class members’) biometric information
Roundy’s also allegedly disclosed biometric information to an out-of-state third-party vendor.

Plaintiff also filed wrongful termination claims, stemming from his concerns that his Roundy’s location was performing glucose tests without following proper hygiene procedures, and without proper lab ‘certifications’ in place. Plaintiff claimed he was terminated when he began investigating the ‘certification’ status of other Roundy’s locations.
[Cook Co. Sup. Ct.; 2017-CH-08092]
jbho: In this case, the BIPA claims are probably the less scandalous, but due to the private right of action the more profitable?

No shortage of drama here. The case makes for an interesting read, if nothing else.

Note that this is the second employment-related BIPA case I’ve seen against Roundy’s (see below).

May 2017
Class Action Against Employer Using Fingerprints To Track Workforce

Baron v. Roundy’s
Class complaint – Roundy’s supermarkets allegedly forced employees to use fingerprints to clock ‘in’ and ‘out’ of their work shifts. Plaintiff alleged Illinois employees were required to submit fingerprints, but Roundy’s failed to:
• inform employees in writing that a biometric identifier or biometric information was being recorded, obtained, collected or stored
• inform employees in writing the specific purpose(s) for which biometric information was being recorded, obtained, collected or stored
• inform employees in writing the retention period for biometric identifiers or biometric information
• inform employees in writing how biometric identifiers or biometric information would be destroyed
• obtain employees’ proper written consent to the recording, collection, obtainment or storage of their biometric identifiers and biometric information derived therefrom
• obtain a written release from employees executed as a condition of employment
Plaintiff further alleged existing Illinois employees were retroactively required to submit fingerprints without proper notice and consent.

The case was removed to federal court 11 May 2017.
[N.D. Ill; 1:17-cv-03588 (Orig: Cook Co. Cir. Ct.; 2017CH03281)]
jbho: Roundy’s was acquired by Kroger’s in 2015. BIPA was enacted in 2008, and it appears Roundy’s was scanning fingerprints back in 2013. I wonder if BIPA considerations were part of the M&A due diligence? One we should add to our checklists…

February 2017

Video Game Maker Survives BIPA Face-Off

Vigil v. Take-Two
Dismissed with prejudice – Take-Two allegedly failed to provide adequate notice and consent for collection, storage, use, and retention of plaintiffs’ biometric data. Plaintiffs used the ‘MyPlayer’ feature to create in-game characters with their faces. Plaintiffs followed in-game instructions (approximately a 15-minute process) after agreeing to the following terms and conditions:

Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement. http://www.take2games.com/eula

Plaintiffs alleged the disclosure was insufficient to inform them their biometric data was being captured, thus negating any consent. They further argued they could not return the opened game, and would not have purchased the game had they been adequately informed. Additionally, plaintiffs alleged Take-Two failed to publicly provide a retention schedule or guidelines for destruction of biometric data. Finally, plaintiffs alleged they suffered economic losses in the form of misappropriation of their biometric data.

The court found:

  • Take-Two only used the biometric data as both parties intended
  • The game functioned exactly as plaintiffs expected (they agreed to the terms and scanned their faces)
  • Any deficiencies in the notice were bare procedural violations
    • that the notice used the term ‘face scan’ rather than ‘biometric identifier’ (“a statutory term of art”) had no real impact on BIPA interests
  • Plaintiffs should have expected the face scan would need to be stored in order to use their faces in game play
    • “a merely procedurally deficient notice does not automatically invalidate any resulting consent”
  • Plaintiffs’ alleged apprehension based on hypothetical misuse was too speculative and abstract to support standing (citing Clapper v. Amnesty International: “(plaintiffs) cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”)
  • Appropriation claims failed since plaintiffs consented to the face scans (particularly since plaintiffs failed to allege Take-Two had used their facial scans to promote or advertise its game, or otherwise profit by using or selling their data).
  • There was no intrusion since plaintiffs consented to the face scans
  • Unlawful retention alone, absent some form of alleged disclosure or misuse, did not constitute a concrete injury (plaintiffs did not allege their face scans had been obtained or misused).
  • Benefit of the bargain arguments failed since
    • plaintiff pled no breach of contract or unjust enrichment claims
    • legal compliance is not ordinarily presumed to be part of a contractual bargain
  • The court also found that under Illinois law, to be ‘aggrieved’ meant more than just a ‘zone-of-interest’ nexus; there must be a direct link between the statutory violation and the resultant harm.

The court found further amendment to the FAC would be futile, and dismissed the complaint with prejudice.

UPDATE: 21 Nov 2017 – The 2nd Circuit has affirmed the dismissal. The appellate court ruled plaintiffs consented to the scans after seeing the necessary (written) disclosures and sitting for the 15-minute face scanning process. As for failing to inform plaintiffs of retention and destruction policies, plaintiffs failed to allege any harm, or that Take-Two had not, or would not, destroy their biometric information. Finally, on the level of security implemented by Take-Two, plaintiffs failed to allege any material risk that their biometric data would be improperly accessed by third parties. Since fear, without more, was insufficient to confer an Article III injury-in-fact, the district court did not err in dismissing the case for lack of subject matter jurisdiction. However, since the court lacked subject matter jurisdiction, it could not dismiss the claims with prejudice. The case was remanded to be dismissed without prejudice.

[2nd Circ.; 17-303]
[S.D. N.Y.; 1:15-cv-08211]
jbho: a detailed opinion that I believe can help plan disclosures and policy items around BIPA compliance – well worth a dive into the 50 page opinion. And it’d be great to have someone double check my work.

As I see it, lessons here include:

  • If data use falls within the realm of consumer expectations, you may not need to worry about minor wording choices in your notice
    • however, statements still can’t be misleading or deceptive
  • If you don’t share, there is no harm
    • still best to destroy data on a regular schedule, even if it’s not called out in your notice
  • If someone is surprised by how your product works after-the-fact, let them return the product – even if it falls outside your normal refund policies (consistent with OTA IoT guidelines)

Bottom line: it appears consent is dispositive. With no misuse, all that remains are ‘bare procedural violations’?
Native Photo App Needs More Scrutiny

Rivera v. Google
Motion to dismiss denied – Google, through its built-in Android ‘Google Photos’ app, allegedly applied a proprietary facial recognition technology to every photo uploaded by the app. Google then allegedly used the face templates to organize and group photos, irrespective (allegedly) of whether the face belonged to a Google Photos user or non-user.

• Plaintiff Weiss, who purchased a Google ‘Droid’, claimed Google used his face template to recognize his gender, age, race, and location.
• Plaintiff Rivera, who claims to have never had a Google ‘Droid’, claimed Google used her face template to recognize her gender, age, race, and location.

Google allegedly did the above without informing either plaintiff, without obtaining written consent, and without specifying retention policies and destruction guidelines as required under BIPA.

On Google’s claim that information derived from photographs is not covered under BIPA (740 ILCS 14/10), the court found a straightforward reading of BIPA indicated that Google was creating Biometric Identifiers (“scan of … face geometry”). The scans do not necessarily have to be performed live [“(I)t is unlikely that the statute sought to limit the definition of biometric identifier by limiting how the measurements are taken.” (emphasis in original)]. Once discovery reveals what Google is actually doing, it may turn out that Google’s process is not creating Biometric Identifiers. But at the motion-to-dismiss stage, plaintiffs’ allegations must be taken as true.

On Google’s claim the contested activity did not take place in Illinois, the court found it persuasive that plaintiffs were Illinois residents, photos were taken in Illinois, and uploaded to the cloud in Illinois. Even if the scanning took place outside of Illinois, more information was needed on the totality-of-circumstances to determine if Illinois law applied.

On Google’s claim BIPA conflicts with the federal Constitution’s Dormant Commerce Clause, the court again found that more information was needed to determine whether the activity occurred wholly outside Illinois.

[N.D. Ill; 1:16-cv-02714]
jbho: wow – 20 pages of dicta on the definitions of biometric identifier and biometric information, including analysis of the legislative process in developing BIPA. Very informative and worth the read if you have time.

For the record, 740 ILCS 14/10 says:
Sec. 10. Definitions. In this Act:
“Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include … photographs … demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. (emphasis added)
“Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.

December 2016

First Settlement Reached Under Illinois’ Biometric Law

Sekura v. LA Tan
$1.5M settlement approved – LA Tan allegedly used fingerprint scanning technology to identify its customers in a membership database, but failed to: (1) obtain written consent, (2) provide information about how it would store the biometric data, and (3) disclose if/when/how the data would be destroyed. No alternative to the fingerprint was offered. Highlights include:
• $1,500,000 settlement fund
• $125 for each class member
• $5,000 for class representative
• $600,000 for class counsel (40% of settlement fund)
LA Tan must also either put processes in place to comply with BIPA or destroy all biometric data it still holds.
[Circuit Court of Cook County; 2015-CH-16694]
jbho: In the absence of clear guidance, it may be worth considering the following:

  • Provide clear and conspicuous notice of the collection, purpose of use, and potential disclosures of information that might be considered ‘biometric’
    • cover in both your user agreement and privacy policy
  • Obtain express consent of the individual
  • Provide clear and conspicuous notice of opt-out procedures
  • Specify your retention practices
